Analysis

- max time kernel: 135s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-04-2021 21:12

Static task: static1
Behavioral task: behavioral1
Sample: b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe
Resource: win7v20210410
General

- Target: b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe
- Size: 283KB
- MD5: 31ab82365078548dcea62da7c2380b2e
- SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
- SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
- SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
Malware Config

- Extracted family: amadey
- Version: 2.16
- C2 URL (from the extracted config): 176.111.174.114/Hnq8vS/index.php
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe PID 1560 (flow 9), rundll32.exe PID 912 (flow 12)
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: blfte.exe PID 608
- Loads dropped DLL (10 IoCs)
  Processes: b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe PID 1096 (2 loads), rundll32.exe PID 1560 (4 loads), rundll32.exe PID 912 (4 loads)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but nothing else in this report shows encryption activity and the extracted config identifies the sample as the Amadey loader/stealer, so treat the ransomware label as a false lead here.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe PID 1560 (4 events)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Writing PID / image -> target PID / image (event count):
  1096 b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe -> 608 blfte.exe (4)
  608 blfte.exe -> 1556 cmd.exe (4)
  1556 cmd.exe -> 1188 reg.exe (4)
  608 blfte.exe -> 1560 rundll32.exe (7)
  608 blfte.exe -> 912 rundll32.exe (7)
  Every target is a direct child of the writing process in the tree below, so these writes record the spawn chain (a parent setting up a child it has just created) rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe (PID 1096)
  "C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe (PID 608)
    "C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Note: blfte.exe has the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so this is the sample copying itself into a randomly named Temp directory and re-launching from there.

    C:\Windows\SysWOW64\cmd.exe (PID 1556)
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 1188)
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
        Note: this is the persistence mechanism. The Startup value under User Shell Folders tells Explorer where the user's Startup folder is (default: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). Pointing it at the Temp directory that holds blfte.exe makes Explorer launch the copy at every logon without touching the Run keys or the real Startup folder, so a check of those locations alone will miss it. The image path is SysWOW64 although the command line names System32: the parent is a 32-bit process, so WoW64 file-system redirection applies.

    C:\Windows\SysWOW64\rundll32.exe (PID 1560)
      "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\rundll32.exe (PID 912)
      "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
    Note: both DLLs are downloaded payloads (Downloads MZ/PE file; hashes under Downloads), loaded from a directory under the world-writable C:\ProgramData through the exported function Main, and each instance then makes network requests. PIDs are taken from the Signatures section; the EnumeratesProcesses flag belongs to PID 1560 and to the cred.dll instance, which is how the two rundll32 instances are told apart.
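The two behaviours in this tree worth turning into detections are the Startup shell-folder redirect and rundll32 loading DLLs out of ProgramData. What follows is an added example, not part of this sandbox report and not Triage tooling: a small Python rule set run over Sysmon-style process-creation events (Image, CommandLine, ParentImage). The event list is constructed to mirror the command lines above, with two benign events added to show the rules stay quiet on the default Startup value and on a System32 DLL. The Event fields, the rule names, the regular expressions and the list of user-writable directories are my assumptions, not anything the report states.

```python
"""Detection rules for the two Amadey behaviours in the process tree above.

Added example, not part of the sandbox report. Input is a list of Sysmon-style
process-creation events (Image, CommandLine, ParentImage); the events at the
bottom are constructed to mirror the report's command lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The Startup shell folder is legitimate only at its default location, either in
# the REG_EXPAND_SZ form or already expanded under C:\Users\<name>.
_DEFAULT_STARTUP = re.compile(
    r"^(?:%userprofile%|[a-z]:\\users\\[^\\]+)"
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup$"
)
# Directories a standard user can write to (assumed list; extend per environment).
_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\",
                  "\\users\\public\\", "\\windows\\temp\\")
_SHELL_FOLDERS_KEY = "explorer\\user shell folders"


@dataclass
class Event:
    image: str          # full path of the created process
    command_line: str
    parent_image: str = ""


@dataclass
class Finding:
    rule: str
    detail: str
    event: Event


def _norm(path: str) -> str:
    return path.strip().strip('"').rstrip("\\").lower()


def startup_folder_is_hijacked(value: str) -> bool:
    """True when the Startup shell folder points anywhere but the default."""
    return _DEFAULT_STARTUP.match(_norm(value)) is None


def in_user_writable_dir(path: str) -> bool:
    p = _norm(path)
    return any(d in p for d in _WRITABLE_DIRS)


def reg_add_value(command_line: str) -> Optional[str]:
    """Return the /d payload of a REG ADD command line (quoted or bare), or None."""
    m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', command_line, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rundll32_target(command_line: str) -> Optional[str]:
    """Return the DLL path handed to rundll32 (the part before the comma), or None."""
    m = re.search(r'([a-z]:\\[^",]+?\.dll)', command_line, re.I)
    return m.group(1) if m else None


def analyse(events: List[Event]) -> List[Finding]:
    findings = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.command_line.lower()
        # Rule 1: reg.exe rewriting User Shell Folders\Startup to a non-default path.
        if img.endswith("\\reg.exe") and _SHELL_FOLDERS_KEY in cmd \
                and re.search(r"/v\s+startup\b", cmd):
            value = reg_add_value(ev.command_line)
            if value is not None and startup_folder_is_hijacked(value):
                findings.append(Finding("startup_shell_folder_hijack", value, ev))
        # Rule 2: rundll32.exe loading a DLL out of a user-writable directory.
        if img.endswith("\\rundll32.exe"):
            dll = rundll32_target(ev.command_line)
            if dll and in_user_writable_dir(dll):
                findings.append(Finding("rundll32_writable_dir_dll", dll, ev))
    return findings


_TMP = r"C:\Users\Admin\AppData\Local\Temp\e90e419c61"
_USF = r'"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
# Constructed events: the first four mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    Event(_TMP + r"\blfte.exe", '"' + _TMP + r'\blfte.exe"',
          r"C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe"),
    Event(r"C:\Windows\SysWOW64\reg.exe",
          "REG ADD " + _USF + " /f /v Startup /t REG_SZ /d " + _TMP + "\\",
          r"C:\Windows\SysWOW64\cmd.exe"),
    Event(r"C:\Windows\SysWOW64\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main',
          _TMP + r"\blfte.exe"),
    Event(r"C:\Windows\SysWOW64\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main',
          _TMP + r"\blfte.exe"),
    Event(r"C:\Windows\System32\reg.exe",
          "REG ADD " + _USF + r' /f /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"',
          r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}  <- {f.event.image} (parent: {f.event.parent_image})")
```

Run against the constructed events it raises three findings: one for the reg.exe line (the /d value is under AppData\Local\Temp) and one for each rundll32 instance (cred.dll and scr.dll under ProgramData). Rule 1 keys on the registry value rather than on the reg.exe image, so it also fires if the same write is made through PowerShell or a direct RegSetValueEx, as long as the event source exposes the value written.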
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\1a9f26b569d5df\cred.dll (also recorded as \ProgramData\1a9f26b569d5df\cred.dll)
  MD5: 985f9c4d8bf231ca08046bcd44d558eb
  SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
  SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
  SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f

- C:\ProgramData\1a9f26b569d5df\scr.dll (also recorded as \ProgramData\1a9f26b569d5df\scr.dll)
  MD5: a48dc2da2655fd049e37e36fcda28fba
  SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
  SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
  SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490

- C:\Users\Admin\AppData\Local\Temp\15212513283230931923
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-byte input: the file was created but nothing was written to it during the run, so the hashes are not usable as indicators.

- C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe (also recorded as \Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe)
  MD5: 31ab82365078548dcea62da7c2380b2e
  SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
  SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
  SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
  Identical to the submitted sample: a byte-for-byte self-copy, so the sample's own hashes also cover the persisted file.
Memory dumps

- memory/608-65-0x0000000000000000-mapping.dmp
- memory/608-72-0x0000000000400000-0x00000000004B3000-memory.dmp (716KB)
- memory/912-81-0x0000000000000000-mapping.dmp
- memory/912-88-0x0000000000270000-0x00000000002AD000-memory.dmp (244KB)
- memory/1096-60-0x0000000075281000-0x0000000075283000-memory.dmp (8KB)
- memory/1096-62-0x0000000000400000-0x00000000004B3000-memory.dmp (716KB)
- memory/1096-61-0x00000000003A0000-0x00000000003D1000-memory.dmp (196KB)
- memory/1188-71-0x0000000000000000-mapping.dmp
- memory/1556-69-0x0000000000000000-mapping.dmp
- memory/1560-73-0x0000000000000000-mapping.dmp
- memory/1560-80-0x00000000006A0000-0x00000000006C4000-memory.dmp (144KB)